[Openstack] [neutron] neutron-server iterating over all security groups, not just those in the project

Michael Dorman mdorman at godaddy.com
Thu Feb 6 00:36:02 UTC 2014


We're seeing an issue where neutron-server (Havana) iterates over all security groups (with an individual SELECT query for each), rather than just the security groups in the tenant.  We can trigger this by creating a port using the default security group.  If we specify no security groups, or a specific security group, it works fine.

We have ~1000 tenants and 10 security groups in each tenant in this environment.  So this ultimately results in 10k SQL queries, which tanks neutron-server for a few minutes.  Note that all the tenants are in the same network.

Still trying to run down where in the code this is happening.  But I've been able to trace the SQL queries up to when it starts the iteration:  http://pastebin.com/ZkP5idkJ

You can see where the first two queries get the groups/rules just for the specific tenant.  But then after that, it's the same queries, but for groups/rules in all tenants.

We will continue looking into it to see what we can find, but any suggestions or ideas would be appreciated.

Thanks,
Mike
